The tl;dr on timing attacks is that when comparing two values, if your comparison operator returns as soon as it finds its first non-matching byte, an attacker can recover the secret value one position at a time by timing how fast the comparison returns.
"ABC123" == "ABC012"
# if each character takes 1μs, this will return after 4μs.
# Thus, we know the first 3 chars are correct.

Plug.Crypto.secure_compare("ABC123", "ABC012")
# always returns in constant time
secure_compare/2 first checks whether the two byte sizes are the same (if they aren't, it returns immediately, which is faster, so only the length can leak). If the byte sizes are the same, the function walks every byte and so returns slower, but in a time that depends only on the length, not on where the first mismatch is.
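As an added example (not code from the original post, and not Plug.Crypto's own source), here is a recursive early-exit comparison next to a constant-time one built the same way secure_compare/2 is described above, plus a small timing loop so the difference can be observed in iex. The module and function names are my own; the `secret` and guesses are constructed values.

```elixir
defmodule CompareDemo do
  import Bitwise

  # Early exit: stops at the first mismatching byte, so the time taken
  # reveals how many leading bytes of the guess were correct.
  def leaky_compare(<<a, rest_a::binary>>, <<b, rest_b::binary>>) do
    if a == b, do: leaky_compare(rest_a, rest_b), else: false
  end
  def leaky_compare(<<>>, <<>>), do: true
  def leaky_compare(_, _), do: false

  # Constant time for equal-length inputs: XOR every byte pair and OR the
  # results into an accumulator; only the final accumulator is inspected.
  # Unequal lengths return false immediately, so only the length can leak.
  def constant_compare(left, right) when is_binary(left) and is_binary(right) do
    if byte_size(left) == byte_size(right) do
      xor_fold(left, right, 0) == 0
    else
      false
    end
  end

  defp xor_fold(<<x, left::binary>>, <<y, right::binary>>, acc) do
    xor_fold(left, right, bor(acc, bxor(x, y)))
  end
  defp xor_fold(<<>>, <<>>, acc), do: acc

  # Average wall-clock microseconds per call over many iterations.
  def avg_micros(fun, iterations \\ 200_000) do
    {micros, _} = :timer.tc(fn -> Enum.each(1..iterations, fn _ -> fun.() end) end)
    micros / iterations
  end

  # Guesses share 0, 2 and 5 leading bytes with the secret. The early-exit
  # timing grows with the matching prefix; the constant-time one stays flat.
  def demo do
    secret = "ABC123"  # constructed sample secret

    for guess <- ["XXXXXX", "ABXXXX", "ABC12X"] do
      leaky = avg_micros(fn -> leaky_compare(secret, guess) end)
      safe = avg_micros(fn -> constant_compare(secret, guess) end)

      IO.puts(
        "#{guess}: early-exit #{Float.round(leaky, 4)}us, " <>
          "constant-time #{Float.round(safe, 4)}us"
      )
    end
  end
end
```

Run `CompareDemo.demo()` a few times; per-call numbers are tiny and noisy, so look at the trend across the three guesses rather than any single figure.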